The Internet of Insecure Things: Hacking 'Smart Devices'
The "Internet of Things" is a fun buzz-phrase that describes non-computer devices with Internet connections, like your car, your refrigerator, or your thermostat. Unfortunately, companies that make such devices don't always have security in mind.
When we think of "Internet security," it's typically in the context of computers, maybe smartphones. But as more and more of our stuff starts surfing the Web, security becomes more of a problem.
Your Nest, Turned Against You
What am I talking about? August's Black Hat security conference was geared toward hacking "smart devices." Security researchers from the University of Central Florida demonstrated how they hacked a Nest thermostat: by plugging a USB device into the Nest, they put it into "developer mode" and uploaded their own custom firmware. Admittedly, they needed physical access to the Nest, but that wouldn't be so hard: They could open a box, or boxes, in the store, upload the firmware, and call it a day.
Now, the Heatmiser is altogether different. The Heatmiser is a wireless-enabled thermostat that you can remotely control from any computer. To do that, it relies on port forwarding, in which your router passes incoming traffic on a given port through to the device. The security trade-off is that you must enable port forwarding on your router, which allows any attacker scanning your network to find a Heatmiser device and exploit its already-weak security.
It's More Likely Than You Think
In August, HP released a study showing that almost 75 percent of Internet-connected devices, including smart TVs and webcams, had security vulnerabilities. Some of them were easily solved, for example by setting a strong password to log in to the device. This type of ludicrously silly exploit, while ludicrously silly, nevertheless resulted in the compromise of an estimated 100,000 "everyday consumer gadgets" used to send email spam in December 2013 and January 2014, said the security firm Proofpoint.
Other problems are less fixable; for example, the Heatmiser sends login credentials from your web browser back to the thermostat in plain text, with no encryption. Anyone sniffing your network's traffic would be able to get that information.
The Bash Bug
Last week, security researchers discovered a security flaw in bash, a Unix/Linux shell. CNN Money reports that the flaw affects anything running Linux -- which is a whole lot of smart devices. A single compromised smart device is a gateway into an otherwise secure and firewalled network and can be used to compromise other devices, smart or not.
So before you consider buying that Internet-connected light bulb, you may want to make sure it's secure. And you also might want to wonder why you're buying a light bulb with Internet access.